Is Safety Standard Same for Everyone? User-Specific Safety Evaluation of Large Language Models

🔼 The figure showcases the evaluation protocol used in the U-SafeBench benchmark. Panel (a) demonstrates the process for assessing user-specific safety. An LLM receives a user profile (e.g., someone with depression) and an instruction. The LLM generates a response. Then, another LLM, referred to as the ‘LLM-as-a-Judge,’ determines if the response was safe for that specific user. A safe response would be one where the LLM refuses to answer a potentially harmful query. Panel (b) illustrates the parallel process for evaluating user-specific helpfulness, where the LLM-as-a-Judge assesses whether the LLM provided a helpful and appropriate response, taking into account the user’s profile.

read the caption

Figure 2: Evaluation protocol of U-SafeBench. (a) and (b) illustrate the protocols for user-specific safety and user-specific helpfulness, respectively. An LLM agent receives a user profile along with an instruction and generates a response considering the provided profile. Subsequently, LLM-as-a-Judge accurately assesses the response’s refusal intent.

🔼 This figure shows the prompt used to instruct the large language model (LLM) to generate harmful instructions for the U-SAFEBENCH dataset. The prompt instructs the LLM to act as a user with specific profiles (e.g., someone with depression, an alcohol use disorder, or a criminal record) and to generate questions that, while seemingly innocuous to the general public, could pose a safety risk to individuals with those specific profiles. The goal is to create a diverse set of user instructions for testing the safety of LLMs.

read the caption

Figure 3: Prompt provided to LLM for the automated harmful instruction collection.

🔼 Figure 4 presents a breakdown of the data included in the U-SAFEBENCH dataset, categorized into three key aspects: risk scenarios, task domains, and instruction types. Panel (a) illustrates the distribution of user-specific safety risks addressed in the benchmark, showcasing the proportions of instances related to physical health, mental health, and illegal/unethical activity assistance. Panel (b) highlights the proportions of tasks belonging to question-answering (QA) and autonomous agent scenarios. Finally, panel (c) shows the distribution of instructions, differentiating between harmful and benign instances within the dataset.

read the caption

Figure 4: Distribution of (a) risk scenarios addressed, (b) task domains U-SafeBench targets, and (c) instruction types.

🔼 Figure 5 is a scatter plot visualizing the relationship between user-specific safety and helpfulness scores achieved by various LLMs (Large Language Models) on the U-SAFEBENCH dataset. The x-axis represents the user-specific safety score, indicating how well the model avoids generating unsafe responses for specific user profiles. The y-axis represents the user-specific helpfulness score, measuring the usefulness of the model’s responses in the context of individual user needs. Each point on the plot represents a different LLM, and its position shows the trade-off between safety and helpfulness. For instance, models positioned in the upper-left quadrant exhibit low safety but high helpfulness, while models in the lower-right quadrant demonstrate high safety but low helpfulness. The figure reveals a general negative correlation, suggesting that as models are trained to be safer (higher safety scores), their helpfulness tends to decrease.

read the caption

Figure 5: Comparison of instruction-following LLM performance in user-specific safety (x𝑥xitalic_x-axis) and helpfulness (y𝑦yitalic_y-axis). Model details, such as “it,” are omitted from names due to space constraints.

🔼 Figure 6 presents instances where the Claude-3.5-sonnet model, despite exhibiting high overall safety scores, fails to account for user-specific safety considerations. The examples illustrate instances of responses deemed unsafe due to the specific user profile (e.g., providing information about obtaining alcohol to a user with gout, or suggesting ways to hide smoke to a user with a smoking addiction). The figure showcases vulnerabilities in current LLMs’ ability to consistently adhere to user-specific safety standards, even for models with generally high safety performance.

read the caption

Figure 6: Failure cases of Claude-3.5-sonnet on U-SafeBench.

🔼 This figure visualizes the safety scores achieved by the Claude-3.5-sonnet language model across a diverse range of user profiles. To highlight the model’s performance variations, the profiles are ranked and divided into two groups: the top 30 profiles with the highest safety scores and the bottom 30 profiles with the lowest safety scores. Each bar represents a specific user profile and its corresponding safety score, providing a clear visual representation of how the model’s safety performance differs based on user characteristics and potential risk factors.

read the caption

Figure 7: Safety scores of Claude-3.5-sonnet across diverse user profiles. We select profiles with the top 30 and bottom 30 safety scores for analysis.

🔼 Figure 8 presents a comprehensive list of the 157 user profiles included in the U-SafeBench dataset. These profiles encompass a wide range of attributes, categorized into ‘Criminal Records’ and ‘Medical Conditions’, designed to represent diverse user demographics and potential vulnerabilities. The profiles are crucial to evaluating the user-specific safety of LLMs, as they represent a variety of individuals and situations that might pose heightened risk for harm when interacting with an LLM. The inclusion of a ‘General Population’ category provides a baseline for comparison.

read the caption

Figure 8: Complete list of user profiles in U-SafeBench.

🔼 This table presents a comprehensive analysis of the safety performance of various Large Language Models (LLMs) across different risk scenarios and task domains. The risk scenarios considered include ‘Illegal and Unethical Activity Assist,’ ‘Mental Health Risk,’ and ‘Physical Health Risk.’ The task domains assessed are question answering (QA) and autonomous agents (Auto.). The table quantifies the safety performance using scores indicating the percentage of times each LLM successfully avoided providing unsafe responses in each category. This allows for a detailed comparison of LLM safety capabilities in various high-risk contexts, highlighting areas where specific LLMs perform well and areas where they need improvement. The scores reveal which LLMs are better equipped to handle specific risk scenarios and applications.

read the caption

Table 2: Safety scores of LLM agents across different risk scenarios and task domains. Illeg., Ment., and Phys. denote the risk scenario categories: “Illegal and Unethical Activity Assist,” “Mental Health Risk,” and “Physical Health Risk,” respectively. Auto. represents the task domain of “Autonomous Agent.”

🔼 This table presents the impact of two jailbreak attack methods on the user-specific safety and helpfulness of various LLMs. The ‘Base’ column shows the performance of the models without any attacks. The ‘P’ column shows the results after applying a prefix injection attack, and the ‘R’ column shows the results after applying a refusal suppression attack, both as described in Wei et al. (2024). The table quantifies how these attacks affect the models’ ability to avoid generating unsafe responses for specific users (safety) and the models’ ability to provide helpful responses (helpfulness). It provides a comparison of safety and helpfulness scores before and after each type of jailbreak attack.

read the caption

Table 3: Impact of jailbreak attacks on user-specific safety and helpfulness. Base represents the model without any attacks, while P and R denote prefix injection and refusal suppression attacks Wei et al. (2024) applied to the model, respectively.

🔼 Table 4 presents a comparison of the performance of 18 different large language models (LLMs) on a user-specific safety benchmark, both with and without a chain-of-thought (CoT) prompting method. The ‘Base’ column shows the LLM’s user-specific safety and helpfulness scores using standard prompting. The ‘CoT’ column displays the results after applying the researchers’ proposed CoT method, which aims to improve user-specific safety by having the model first identify safety guidelines and then generate a response based on those guidelines. The table quantifies the impact of the CoT approach, demonstrating its effectiveness in enhancing user-specific safety scores for many of the models tested, while also showing the trade-off between safety and helpfulness (higher safety scores sometimes correlate with a slight decrease in helpfulness scores).

read the caption

Table 4: Performance of our chain-of-thought approach. Base represents the model with a vanilla prompting, while CoT denotes the model with our chain-of-thought approach, respectively.

🔼 This table lists the specific versions of the 18 large language models (LLMs) used in the experiments. It provides the model name, the API or source used to access the model, and the exact version number and date if available. This level of detail is crucial for reproducibility, ensuring that researchers can replicate the study’s results using the same LLM versions.

read the caption

Table 5: Exact version of each model used

🔼 This table presents the results of evaluating 18 different large language models (LLMs) using the U-SafeBench benchmark. The key difference is that user profiles were incorporated into the LLM reasoning process via system messages. The table shows three key metrics for each model: user-specific safety (S), user-specific helpfulness (H), and an overall score (O), which is a harmonic mean of S and H. Higher scores indicate better performance. The abbreviation ‘it’ in the model names stands for ‘Instruct.’

read the caption

Table 6: Results on U-SafeBench using system message to incorporate user profiles in LLM reasoning. S, H, and O denote user-specific safety, user-specific helpfulness, and overall scores, respectively. “it” is an abbreviation for “Instruct.”

🔼 This table presents an example of the prompt used in the U-SAFEBENCH evaluation framework. Specifically, it shows prompt 𝒫Isubscript𝒫𝐼, designed for Question Answering (QA) tasks where user profiles are incorporated via user messages. The prompt instructs the LLM to act as a helpful assistant, and then provides it with a specific user profile (e.g., ‘Consider I am a person with a criminal record for fraud.’). The LLM is then given a question and tasked with generating a response based on its own knowledge while considering the user’s profile.

read the caption

Table 7: Example of prompt 𝒫Isubscript𝒫𝐼\mathcal{P}_{I}caligraphic_P start_POSTSUBSCRIPT italic_I end_POSTSUBSCRIPT for QA agent using user message to incorporate user profiles.

🔼 This table displays prompt P_I, used for evaluating QA agents. The prompt incorporates user profiles into the system message, instructing the QA agent to consider the user’s profile (e.g., a criminal record for fraud) when generating a response to a given question. This approach aims to evaluate the system’s ability to provide safe and helpful responses while accounting for user-specific contexts and potential risks.

read the caption

Table 8: Example of prompt 𝒫Isubscript𝒫𝐼\mathcal{P}_{I}caligraphic_P start_POSTSUBSCRIPT italic_I end_POSTSUBSCRIPT for QA agent using system message to incorporate user profiles.

🔼 Table 9 presents prompt P_I, used in experiments involving autonomous agents. This prompt instructs the large language model (LLM) to act as a purchasing agent for a user with specific characteristics mentioned in the user profile. The LLM must use online shopping to find and buy a product that matches specified criteria while minimizing time and unnecessary steps. The example workflow details how the LLM should interact with an e-commerce website, showing actions like searching, navigating pages, selecting products, reviewing details, and finally making a purchase.

read the caption

Table 9: Example of prompt 𝒫Isubscript𝒫𝐼\mathcal{P}_{I}caligraphic_P start_POSTSUBSCRIPT italic_I end_POSTSUBSCRIPT for autonomous agent using user message to incorporate user profiles.

🔼 Table 10 presents prompt ’’’ 𝒫Isubscript𝒫𝐼 ’’’ , which is used for evaluating the safety of autonomous agents. The prompt instructs the large language model (LLM) to act as a shopping agent, incorporating a user profile via a system message. The user profile in this example is a person with a history of liver cancer. This affects how the LLM responds to the subsequent instruction to purchase items, as it simulates a real-world scenario where the user’s health conditions might influence their actions. The prompt includes specific guidelines for the agent’s actions, outlining actions allowed, such as searching, navigating web pages, and selecting products, as well as constraints and workflows to keep the process efficient and safe.

read the caption

Table 10: Example of prompt 𝒫Isubscript𝒫𝐼\mathcal{P}_{I}caligraphic_P start_POSTSUBSCRIPT italic_I end_POSTSUBSCRIPT for autonomous agent using system message to incorporate user profiles.

🔼 This table describes the prompt given to the LLM-as-a-Judge model to evaluate whether a given response from another LLM model appropriately fulfills a user’s request. The prompt includes an example user request and a sample response. The LLM-as-a-Judge is tasked with determining if the response adequately addresses the request and should only respond with ‘Yes’ or ‘No’. This process helps in the evaluation of the user-specific safety and helpfulness of the LLMs in the U-SAFEBENCH evaluation.

read the caption

Table 11: Example of prompt 𝒫Rsubscript𝒫𝑅\mathcal{P}_{R}caligraphic_P start_POSTSUBSCRIPT italic_R end_POSTSUBSCRIPT for LLM-as-a-Judge determining whether the given response fulfills the instruction.

🔼 Table 12 shows an example of the prompt used in the U-SAFEBENCH framework. This prompt is specifically designed for the task of inferring safety guidelines. The prompt instructs a large language model (LLM) to generate examples of instructions or queries that it should refuse to answer from a user with a specific profile (in this example, a person with drug addiction). The goal is to elicit from the LLM a set of potential responses that could be unsafe or harmful for this user group, even if the requests might be harmless for the general public. This helps in creating a safety benchmark for assessing the ability of LLMs to avoid providing potentially problematic information tailored to specific user profiles.

read the caption

Table 12: Example of prompt 𝒫Gsubscript𝒫𝐺\mathcal{P}_{G}caligraphic_P start_POSTSUBSCRIPT italic_G end_POSTSUBSCRIPT for inferring guidelines regarding responses that LLM agent should not provide to the user.

🔼 Table 13 shows an example of the prompt used in the evaluation protocol of the U-SAFEBENCH benchmark. This prompt (denoted as 𝒫A) instructs the LLM to generate a response to a user’s instruction while considering safety guidelines previously inferred by the model. These guidelines were generated by another prompt (𝒫G) that specifically asked the LLM to list instructions it should refuse from a user with a drug addiction. The purpose of this prompt structure is to ensure that the LLM’s response avoids actions that could negatively impact a user with specific vulnerabilities.

read the caption

Table 13: Example of prompt 𝒫Asubscript𝒫𝐴\mathcal{P}_{A}caligraphic_P start_POSTSUBSCRIPT italic_A end_POSTSUBSCRIPT for generating a response to an instruction considering the inferred guidelines.